App Engine Requirement

If your Firestore database is linked to an App Engine app, then your database requires an active App Engine app in the same project. Without the active App Engine app, read and write access to the database is disabled.

Active App Engine requirement

An active App Engine app means that an app exists in the same project and that this app is not disabled. It does not require that app to have any usage. The linked app and database must exist in the same region.

If you disable your App Engine app, you also disable access to the Firestore database linked to that app.

Requirement update

In a future release of Firestore, new databases will provision unlinked from App Engine by default. Additionally, all databases, both existing and newly created, will have the following requirements:

  • To manage your database from the Google Cloud console and the gcloud CLI, the Firestore API must be enabled in the project. This is required for both Firestore in Native mode and Firestore in Datastore mode databases.
  • When executed from the Google Cloud console or the gcloud CLI, the administrative operations below will require the following IAM permissions:

    • Create database: datastore.databases.create
    • View database metadata: datastore.databases.getMetadata
    • Edit database metadata: datastore.databases.update
If your database will be affected by the change in requirements, you will see the following notice in the Firestore pages of the Google Cloud console:

The Firestore API will soon be required to administer your database. Please enable the API and ensure you have the required permissions.

Verify your IAM permissions to ensure your access to the database is not affected. If you use a custom role, it might lack the datastore.databases.getMetadata permission. datastore.databases.getMetadata does support custom roles.

Update IAM permissions

Verify that the accounts accessing the database through the Google Cloud console have the required permissions:

  • Create database: datastore.databases.create
  • View data: datastore.databases.getMetadata
  • Edit data: datastore.databases.update

Predefined roles such as Datastore User and Datastore Viewer include the required permissions. If you created any custom IAM roles, you may need to update them to include the permissions above.

If you use a custom role to manage access to the console, ensure continued access by updating your custom roles with datastore.databases.getMetadata or by using a predefined role.

If you disable a linked App Engine app, you also disable read and write access to your database. If this happens, the Firestore Data page in Google Cloud console presents the option to unlink your database from the App Engine app. Click Unlink Database to begin the process.

Go to Firestore Data

You can also unlink your database via REST API.

curl -X PATCH
--header "Authorization: Bearer $(gcloud auth print-access-token)" \
--header "Content-type: application/json" \
--data '{"app_engine_integration_mode": "DISABLED"}' \
"https://firestore.googleapis.com/v1/projects/PROJECT_ID/databases/(default)?updateMask=appEngineIntegrationMode"

When you unlink your database, you can disable App Engine without affecting access to your database. Unlinking is a permanent operation. It may take up to five minutes for the unlinking operation to take effect.

You can also check unlink state via REST API.

curl  --header "Authorization: Bearer $(gcloud auth print-access-token)" \
--header "Content-type: application/json" \
"https://firestore.googleapis.com/v1/projects/PROJECT_ID/databases/(default)"